Gumo
New Contributor II

SSL-VPN, AD cannot attract users

FortiGate firewall cannot pull users while doing SSL-VPN. It is taken in the group from all other users/groups. The user portal is actually the current users of the portal; users/group is mapped to the port.

[Attached screenshot: prtl.png]

saleha
Staff

Hi Gumo,

Thank you for reaching out. If you are using FortiClient to connect to the VPN, at what percentage does the connection fail? Also, it is recommended to review the config: make sure, if you are using split-tunnel for your SSL-VPN portals and have user accounts belonging to different SSL-VPN user groups, that the firewall policy ordering is correct, where the top policy on the list with source interface ssl.root has the right user group. If the issue is purely about SSL-VPN, I recommend running sslvpn and fnbamd debugs, as well as saml debugs if applicable:
di de reset
di vpn ssl debug-filter src-addr4 x.x.x.x
(use this command if you want to filter to a single connection attempt, where x.x.x.x is the public IP of the connecting FortiClient agent)
di de app sslvpn -1
di de app fnbamd -1
di de app samld -1
di de console time en
di de en

If it is a more general problem with user accounts not being pulled properly from LDAP or other authentication servers, I recommend providing more details about the issue or opening a ticket with support.

 

Thank you,

saleha

HarshChavda
Staff

Hello @Gumo,

Can you check that the user group used for SSL VPN includes the correct users? Also verify the remote authentication (LDAP or RADIUS) server config and whether users are correctly mapping to it or not.

ggarg
Staff

Hello Gumo,

Please ensure the groups and OU that are being used as the filter by running dsquery on your AD.

Also, create one realm and assign it to one group. After that, try connecting and run the following debugs while trying to authenticate:

di de application fnbamd -1
di de console timestamp en
di de en

 

By running these debugs you will find the reason why it is not matching, for instance "no DN found". Make sure you are using those groups on firewall policies too.

Gautam Garg | TAC Engineer
Fortinet TAC - America East
NSE Certified: 1-4, 7 | CCNP
Office Hours: 8:45-5:45 EST (Mon-Fri)
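To put saleha's point about ssl.root policy ordering and ggarg's suggestion of one realm mapped to one group into concrete form, here is an added FortiOS CLI configuration example. It is not from any of the posters or from Fortinet documentation; the server address, DNs and object names (AD-LDAP, SSLVPN-Users, the realm "vpn", policy 10, user jdoe) are constructed placeholders. It builds the LDAP server object, a user group that matches a single AD group DN, a realm and authentication rule tying that group to a portal, the firewall policy from ssl.root that references the same group, and finally the built-in credential test that shows which groups fnbamd resolves for a user before the full debug is run.

```fortios
# Added example with hypothetical names and addresses; not from the posters or Fortinet docs.

# 1. LDAP server object pointing at the AD domain controller
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=svc-fortigate,ou=Service Accounts,dc=example,dc=local"
        set password <bind-password-placeholder>
        set secure ldaps
        set port 636
    next
end

# 2. User group restricted to one AD group DN. This DN is what the fnbamd debug
#    compares against ("no DN found" means nothing here matched); it must be the
#    exact DN that dsquery returns on the domain controller.
config user group
    edit "SSLVPN-Users"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "cn=VPN-Users,ou=Groups,dc=example,dc=local"
            next
        end
    next
end

# 3. One realm, one authentication rule mapping the group to a portal
config vpn ssl web realm
    edit "vpn"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "SSLVPN-Users"
            set portal "full-access"
            set realm "vpn"
        next
    end
end

# 4. Firewall policy from ssl.root that references the same group.
#    Policies are matched top-down, so this one must sit above any broader
#    ssl.root policy that carries a different (or no) user group.
config firewall policy
    edit 10
        set name "SSLVPN-Users-to-LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "SSLVPN-Users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# 5. Quick check before the fnbamd debug: bind as a test user and list the
#    groups fnbamd resolves. The group DN from step 2 must appear in the output.
diagnose test authserver ldap AD-LDAP jdoe <user-password-placeholder>
```

If the test in step 5 reports a successful bind but lists a different group DN than the one in the group match, the user authenticates against LDAP yet lands in no SSL-VPN group, so neither the authentication rule nor policy 10 applies to them; correcting the DN (or the OU it lives in) is the fix rather than touching the portal.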